Granting Full Access permissions in Exchange is not possible due to company security policy, so we need a flexible way to give the connecting user the ApplicationImpersonation permission for a specific list of users (the synchronized mailboxes) in Exchange.
MS Exchange allows more fine-grained control with the help of the ApplicationImpersonation role and customizable Management Scopes. The list of users can be managed with Exchange Distribution Groups: to enable or disable synchronization for a specific user, add the user to or remove the user from the distribution group.
Add a distribution group to contain the users for sync:
Here we create a group named crmAEsync. We will need this group later.
Right click on the group and choose
Members tab and choose
Now you need to use the Exchange Management Shell. Here is the script that should be executed:
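# Resolve the distinguished name of the distribution group that lists the synchronized mailboxes
$groupidentity = $(Get-DistributionGroup crmAEsync).Identity.DistinguishedName
# Create a management scope that matches only members of that group
New-ManagementScope -Name:"CRMSyncScope" -RecipientRestrictionFilter "MemberOfGroup -eq '$groupidentity'"
# Assign ApplicationImpersonation to the connecting user, limited to that scope
New-ManagementRoleAssignment -Name:"CRMSyncRole" -Role:ApplicationImpersonation -User:<username> -CustomRecipientWriteScope:"CRMSyncScope"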
<username> is the login name of the user connecting to CRM. This user will be able to impersonate everyone in the distribution group.
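To confirm that the assignment really is limited to the group, the following added example (not part of the original script) checks the scope and the role assignment from the Exchange Management Shell. The names crmAEsync, CRMSyncScope and CRMSyncRole come from the script above; the two mailbox aliases are hypothetical placeholders.

```powershell
# Added verification example; run in the Exchange Management Shell.
# Hypothetical aliases: replace with one mailbox inside crmAEsync and one outside it.
$inGroupMailbox  = 'alice'
$outGroupMailbox = 'bob'

# 1. Show the recipient filter stored in the scope (should reference the group's DN).
$scope = Get-ManagementScope -Identity 'CRMSyncScope'
$scope | Format-List Name, RecipientFilter

# 2. Preview which recipients the filter matches; this should equal the group membership.
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited |
    Sort-Object Name |
    Format-Table Name, PrimarySmtpAddress

# 3. Confirm the assignment is bound to the custom scope, not the whole organization.
$assignment = Get-ManagementRoleAssignment -Identity 'CRMSyncRole'
$assignment | Format-List Name, Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope
if ($assignment.RecipientWriteScope -ne 'CustomRecipientScope') {
    Write-Warning 'CRMSyncRole is not restricted by a custom recipient scope.'
}

# 4. Ask Exchange whether CRMSyncRole can act on each test mailbox.
#    Expected: True for the group member, False for the non-member.
foreach ($mbx in $inGroupMailbox, $outGroupMailbox) {
    $hit = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -WritableRecipient $mbx |
        Where-Object { $_.Name -eq 'CRMSyncRole' }
    '{0}: impersonation allowed by CRMSyncRole = {1}' -f $mbx, [bool]$hit
}

# 5. List any other non-delegating ApplicationImpersonation assignments that are
#    not limited by a custom scope; these would bypass the group restriction.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -Delegating $false |
    Where-Object { $_.RecipientWriteScope -ne 'CustomRecipientScope' } |
    Format-Table Name, RoleAssigneeName, RecipientWriteScope
```

If step 5 lists an assignment for the connecting user, that assignment grants impersonation outside CRMSyncScope and should be reviewed.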